Lock 1P when remote control/observe is initiated

twilsonco (Community Member)

Hello,

I have 1P installed on a work Mac that has multiple users. If I am logged into my user and another user initiates screen sharing and selects to "share screen" rather than "log in without interrupting", then they immediately see my screen contents, which could contain a revealed password in 1P. Could 1P have a feature to, if unlocked, lock when a screen sharing session is initiated? Not to lock when screen sharing is active, but only when initiated: e.g. I still want to be able to use it when I am the one accessing the machine remotely, but I want it to lock to prevent a remote user from seeing sensitive information.

Now, I understand that I'm breaking proper security practices by having it installed on a work machine in the first place, but let's just ignore that for now. At the very least, macOS is very good at keeping other users' file space inaccessible—you can't even sudo cd into another user's home folder.

If Apple would expand on the permission asking feature of ARD so that it would time out to yes, then I could just turn that on and be sure to close 1P before granting permission to a remote user, but the lack of a timeout means that I can't remote into the machine if no one's sitting at it. But I digress.

Thanks,

Tim


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:lock when screen sharing

Comments

  • Lars (1Password Alumni)

    @twilsonco

    Could 1P have a feature to, if unlocked, lock when a screen sharing session is initiated? Not to lock when screen sharing is active, but only when initiated.

    Probably not. I'm not a coder, but there are limited things we can detect about macOS, and I'm not sure screen-sharing initiation is one of them. However, even if it is, macOS already provides you a way to secure this. Users wanting to screen share with you should need to ask your permission before they see your screen. The only other way to get right into your screen would be if they had your Mac account password -- which I assume you don't give out, or if you are both signed in using the same Apple ID, something else I would hope you're not doing.

    If I am logged into my user and another user initiates screen sharing and selects to "share screen" rather than "log in without interrupting", then they immediately see my screen contents, which could contain a revealed password in 1P.

    Not unless the built-in safeguards that let you choose who can see your screen via remote aren't functioning properly. Even in such a case, although it might contain a revealed password in 1Password, we allow you to take precautions that discourage both virtual and real-life "shoulder surfers" who might have wandering eyes: obfuscating the password with dots (the "Conceal Passwords" check-box in Preferences > Security). And your suddenly-visible screen could also contain your browser history with who knows what kind of potentially sensitive information, or your Keynote Presentation of How To Take Over The World, or plans for your secret lair...in other words, plenty of things you might not want a casual screen-sharer to see/know, but which are well outside of 1Password's purview. I'll pass along your request, but I suspect this one won't be a high priority due to the fact that this falls more in the realm of the OS and the user's own security tolerances. Thanks for taking the time to let us know your use-case, however! :)

  • twilsonco (Community Member)

    Detecting remote access

    there are limited things we can detect about macOS, and I'm not sure screen-sharing initiation is one of them

    Actually, there are a couple ways of going about this that don't require any additional software.

    Using UI scripting

    So I couldn't come up with a functional AppleScript to do this, but if you enable System Preferences->Sharing->Remote Management->Computer Settings->Show Remote Management status in menu bar then you get an icon in the menu bar when no one is controlling/observing remotely, and it changes when a connection is established.
    Further, the two images below show the contents of the dropdown menu if you click on this menu bar item when (not) being remotely observed/controlled. The top menu item changes from (on my machine, at least) No Administrator to Assisted Mode.

    This information is accessible through UI scripting. The tool Apple provides, UIElementInspector, outputs the following when the Assisted Mode menu item is hovered over:

    This can be accessed through AppleScript using a command like the following

    tell application "System Events"
        -- true only while the menu bar item lists "Assisted Mode", i.e. while a remote observe/control session is active
        set remoteActive to exists menu item "Assisted Mode" of menu "Screen Sharing" of menu bar item "Screen Sharing" of menu bar 2 of application process "SSMenuAgent"
    end tell
    display dialog "Remote session active: " & remoteActive
    

    In this case, however, I was unable to get a script working that would output a simple dialog indicating whether a remote session was active based on that command, though I didn't spend much time working on it.

    The downside of this approach is that the user must enable the Show Remote Management status in menu bar option, which adds a potentially unwanted icon to their menu bar.

    From command line

    A better, and more reliable, option is to go through the command line.
    The command netstat -n | grep 5900 will show whether a user is currently viewing (or controlling) via Apple Remote Desktop (ARD) or through VNC (i.e. through port 5900); running the command while remoting into my own machine yields

    tcp4 0 0 127.0.0.1.5900 127.0.0.1.61786 ESTABLISHED
    tcp4 0 0 127.0.0.1.61786 127.0.0.1.5900 ESTABLISHED

    whereas running the command without being logged in yields

    tcp4 0 0 127.0.0.1.61786 127.0.0.1.5900 TIME_WAIT

    The two IP addresses are the local and foreign address, which is why they're the same, and the port 5900 is for ARD/VNC access. The presence of ESTABLISHED indicates that someone is remoting in at present. This could easily be turned into a method for checking for such access, and I'm sure there are others.

    Requesting permission

    macOS already provides you a way to secure this. Users wanting to screen share with you should need to ask your permission before they see your screen.

    This option does exist, but remote access of the machine is limited to when someone is sitting at it to give permission. The machine in question here is used by many in my group at all hours, so this limitation effectively removes this as an option.

    The only other way to get right into your screen would be if they had your Mac account password

    This is incorrect. Under System Preferences->Sharing->Remote Management you can select which (or all) users are able to login remotely. If they're on the list then they can login with their own credentials and immediately see and control the machine. This is true for both administrator and standard user accounts. If a user is not on this list then they cannot see or control the machine except by requesting permission, which again requires that someone be at the machine to grant it. These options are set globally as well, rather than on a per-user basis, so there's very little flexibility here.

    Otherwise

    your suddenly-visible screen could also contain your browser history with who knows what kind of potentially sensitive information, or your Keynote Presentation of How To Take Over The World, or plans for your secret lair...in other words, plenty of things you might not want a casual screen-sharer to see/know

    This is quite true, but I think the possibility of a PowerPoint window containing critically sensitive information is rather low, while the possibility of 1Password containing sensitive information is very high. Also, PowerPoint isn't advertised as a method of storing one's sensitive information by a company that routinely nixes potential features based on security concerns—an attribute of Agile Bits that I have mixed feelings about :)

    At some point I might be bored enough to write a background AppleScript or command line utility that will close or minimize the 1P window when a remote session is initiated, though my options for controlling 1P are also limited because of Agile Bits' understandable caution to allow such things (I guess I could write a workflow through Alfred or something and Enable Spotlight and 3rd party app integrations in the 1P preferences).

    I think that this is a very doable feature, and that its implementation would make sense given the ease with which macOS can be configured for multi-user and remote access. The combination of these two features (multiple users and remote access), especially considering that even a standard user can remote in and view the screen without any indication (the "show status in menu bar" option is disabled by default) to the current user, really necessitates a higher degree of customization on Apple's part, if you ask me—but that wouldn't help to sell iPhones, so I won't hold my breath. Given that Apple is unlikely to change this anytime soon, the impetus is on companies like Agile Bits to implement a solution to protect its customers' data.

    Considering that 1P can be configured to auto lock on sleep, when the screen saver is activated, when the main window is closed, when fast user switching, and after the computer is idle for a user-set number of minutes, "when screen sharing session starts" seems like a welcome, and obvious, addition to that list! In 10 minutes I, also not a macOS coder, found multiple methods for doing this, and it doesn't seem much harder than detecting the display, sleep, or screen saver state.

    Smörgåsbord for thought :)
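The port-5900 check in the post above can be turned into the lock trigger the thread asks for. The POSIX shell script below is an added example, not code from this thread or from 1Password: it parses `netstat -n` output for an ESTABLISHED connection whose local endpoint is the Screen Sharing/ARD port, reacts only on the transition from "no session" to "session" (so an operator who is already connected, or the owner remoting in, is not locked out mid-session), and on that transition starts the screen saver, relying on 1Password's existing "lock when screen saver is activated" option. The netstat text embedded in the script is constructed from the lines quoted in the post; `netstat -p tcp`, `open -a ScreenSaverEngine`, the 2-second poll interval and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lock 1Password when a screen-sharing
# session is *initiated*, by watching port 5900 and acting only on the
# no-session -> session transition.

VNC_PORT=5900   # Screen Sharing / ARD / VNC listener, as quoted in the post

# Reads `netstat -n` text on stdin. Exit 0 if some tcp row has port 5900 as its
# *local* endpoint (the server side) in state ESTABLISHED. Client-side rows and
# TIME_WAIT leftovers, like the post's second sample, do not count.
remote_session_active() {
    awk -v port="$VNC_PORT" '
        $1 ~ /^tcp/ && $4 ~ ("[.:]" port "$") && $6 == "ESTABLISHED" { found = 1 }
        END { exit !found }
    '
}

# One poll step: given the previous state (0/1) and netstat text on stdin,
# prints "<new_state> <event>" where event is started, ended or unchanged.
poll_once() {
    prev=$1
    if remote_session_active; then now=1; else now=0; fi
    if [ "$prev" = 0 ] && [ "$now" = 1 ]; then
        event=started
    elif [ "$prev" = 1 ] && [ "$now" = 0 ]; then
        event=ended
    else
        event=unchanged
    fi
    printf '%s %s\n' "$now" "$event"
}

# Constructed sample data, modelled on the netstat lines quoted in the post
# (loopback on both sides because the poster was remoting into his own machine;
# a real client shows its own IP in the foreign column).
SAMPLE_ACTIVE='Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.5900         127.0.0.1.61786        ESTABLISHED
tcp4       0      0  127.0.0.1.61786        127.0.0.1.5900         ESTABLISHED'

SAMPLE_IDLE='Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.61786        127.0.0.1.5900         TIME_WAIT'

# Self-check on the constructed data (runs anywhere, no netstat needed).
demo() {
    printf 'active sample -> %s\n' "$(printf '%s\n' "$SAMPLE_ACTIVE" | poll_once 0)"   # 1 started
    printf 'idle sample   -> %s\n' "$(printf '%s\n' "$SAMPLE_IDLE"   | poll_once 1)"   # 0 ended
}

# Live watcher, macOS only: `sh lock-on-share.sh --watch`. Assumptions: BSD
# netstat accepts `-p tcp`, and 1Password is set to lock when the screen saver
# starts, so `open -a ScreenSaverEngine` locks the vault.
if [ "${1:-}" = "--watch" ] && command -v netstat >/dev/null 2>&1; then
    state=0
    while :; do
        result=$(netstat -n -p tcp | poll_once "$state")
        state=${result%% *}
        if [ "${result#* }" = started ]; then
            echo "$(date '+%H:%M:%S') remote session started, locking" >&2
            open -a ScreenSaverEngine
        fi
        sleep 2
    done
else
    demo
fi
```

Matching on the local-address column rather than grepping for the bare number 5900 is what keeps the check honest: the post's own second sample contains 5900 in the foreign column in TIME_WAIT, and an outbound connection from this Mac to someone else's port 5900 would otherwise count too. Anything that 1Password already treats as a lock trigger could stand in for the screen saver here (a fast-user-switch to the login window, for instance), as long as it is something the person who just connected is then expected to authenticate past with their own credentials.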

  • Lars (1Password Alumni)

    @twilsonco - thanks for the comprehensive reply. I didn't realize you were talking about letting users control your Mac; when you said "screen sharing" in the top paragraph, I took that to mean you were referring to System Preferences > Sharing > Screen Sharing, not using ARD via System > Sharing > Remote Management.

    We'll certainly take your ideas under advisement, and thanks again for taking the time to state your use-case.

  • twilsonco (Community Member), edited June 2018

    Happy to contribute.

    Actually looking it up and I’m wrong. I am using “Screen sharing,” rather than ARD (which is an $80 app in the Mac App Store), though it’s enabled on the host Mac via Remote Management rather than Sharing -> Screen Sharing. I had thought ARD was simply the name of the Apple flavor of VNC used by the CoreServices/Screen Sharing.app and (I’m pretty sure, but now I’m wondering) Remotix. It seems that even with Sharing -> Screen Sharing I’d encounter the problem of users needing permission to share the screen, rendering the host Mac uncontrollable (or, OUT OF CONTROL!!!) if unpersoned, since permission is required if a user is already logged in, which is always the case because the Mac in question is a workstation that stays logged into a generic user account.

    Still learning new things about how the Mac works...

  • AGAlumB (1Password Alumni)

    Indeed, there's a lot to consider. But we do always need to recommend separate user accounts for security reasons. After all, giving remote access to your "screen" is effectively the same as unlocking your Mac and 1Password, and then handing it to them, even though it may not feel that way. Food for thought.

This discussion has been closed.